Skip to Content

Hello GRC folks!

Today we configure BusinessObjects Access Control 5.3 SP8 Compliant User Provisioning (CUP).

What we want to do is to

  • approve requests automatically if the risk analysis found no violations
  • start a workflow with manual approval/mitigation/denial process if risk analysis found violations for the request

 Motivation is that you

  • want as little manual system interaction for your approvers as possible
  • possibly have an integrated scenario with Identity Management and a (manager) approval has already been done on the Identity Management (IdM) application side
  • only want to involve approvers, if violations arise

Big picture is that you configure

  • a workflow A with your initiator and a stage with approver determinator  “NO STAGE”
  • a workflow B for the detour with your stage(s) you want to have if violations were found
  • a detour for A which detours to B if SoD violations were found for the request
  • the parameter “Risk Analysis on request submission” to “YES”

CUP should now behave like this

  • Request comes in (manually or via web service from IdM)
  • Risk Analysis (CUP calls RAR via web service) is done and results saved in request
  • Initiator activates your workflow A
  • Detour checks if conditions are met
  • Two options
  •   ->1. No violations found, workflow A goes to stage “No Stage”, approves automatically and optional does autoprovisioning
  •   ->2. Violations found, Detour conditions met, detour from A to B, request arrives at first stage configured in workflow B with all options of CUP (approval, denial, mitiagation,etc.)

Now some screenshots to visualize the configuration

  • Parameter to set (Goto->Configuration->Risk Analysis)


  • Initiator (could be any condition for your use case)


  • Stage with “No Stage” approver determinator


  • The two workflows you need


  • First workflow with no stage


  • Detour workflow if violations detected


  • Detour configuration


Hope this helps your business!

Best regards,

PS: Special thanks to the mastermind of this idea Frank Koehntopp.

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

Leave a Reply